9.5.3 Quiz – Reporting and Communication Answers

Explanation: Vulnerability scanners rely heavily on catalogs of known vulnerabilities. The two catalogs of known vulnerabilities that a cybersecurity analyst should be familiar with are the Common Vulnerability Scoring System (CVSS), which provides a score from 0 to 10 that indicates the severity of a vulnerability, and Common Vulnerabilities and Exposures (CVE), which is a list of publicly known vulnerabilities, each assigned an ID number, description, and reference. OWASP WSTG is a comprehensive guide focused on web application testing. NIST SP 800-115 is a document to provide organizations with guidelines on planning and conducting information security testing.

Explanation: Vulnerability scanners rely heavily on catalogs of known vulnerabilities. The two catalogs of known vulnerabilities that a cybersecurity analyst should be familiar with are Common Vulnerabilities and Exposures (CVE), which is a list of publicly known vulnerabilities, each assigned an ID number, description, and reference, and Common Vulnerability Scoring System (CVSS), which provides a score from 0 to 10 that indicates the severity of a vulnerability. OWASP WSTG is a comprehensive guide focused on web application testing. NIST SP 800-115 is a document to provide organizations with guidelines on planning and conducting information security testing.

Explanation: Place the options in the following order:

Explanation: CVSS uses three metric groups in determining scores. The Base metric group includes exploitability metrics (for example, attack vector, attack complexity, privileges required, user interaction) and impact metrics (confidentiality impact, integrity impact, availability impact).

Explanation: CVSS uses three metric groups in determining scores. The Environmental metric group includes modified base metrics, confidentiality, integrity, and availability requirements.

Explanation: CVSS uses three metric groups in determining scores. The Temporal metric group includes exploit code maturity, remediation level, and report confidence.

Explanation: Dradis is a handy little tool that can ingest the results from many of the penetration testing tools a cybersecurity analyst uses and help this professional produce reports in formats such as CSV, HTML, and PDF.

Explanation: During a penetration testing engagement, the cybersecurity analyst should analyze the findings and recommend the appropriate remediation within the report, including technical, administrative, operational, and physical controls. Technical controls make use of technology to reduce vulnerabilities. Technical controls include system hardening, user input sanitization and query parameterization, multifactor authentication, process-level remediation, patch management, key rotation, certificate management, secrets management solution, and network segmentation.

Explanation: During a penetration testing engagement, the cybersecurity analyst should analyze the findings and recommend the appropriate remediation within the report, including technical, administrative, operational, and physical controls. Technical controls make use of technology to reduce vulnerabilities. Technical controls include system hardening, user input sanitization and query parameterization, multifactor authentication, process-level remediation, patch management, key rotation, certificate management, secrets management solution, and network segmentation.

Explanation: The use of input validation (sanitizing user input) best practices is recommended to mitigate and prevent vulnerabilities such as cross-site scripting, cross-site request forgery, SQL injection, command injection, XML external entities, and other vulnerabilities. OWASP provides several cheat sheets and detailed guidance on preventing these vulnerabilities.

Explanation: During a penetration testing engagement, the cybersecurity analyst should analyze the findings and recommend the appropriate remediation within the report, including technical, administrative, operational, and physical controls. Administrative controls are policies, rules, or training designed and implemented to reduce risk and improve safety. Examples of administrative controls are role-based access control (RBAC), secure software development life cycle, minimum password requirements, and policies and procedures.

Explanation: During a penetration testing engagement, the cybersecurity analyst should analyze the findings and recommend the appropriate remediation within the report, including technical, administrative, operational, and physical controls. Operational controls focus on day-to-day operations and strategies. Operational controls include job rotation, time-of-day restrictions, mandatory vacations, and user training.

Explanation: During a penetration testing engagement, the cybersecurity analyst should analyze the findings and recommend the appropriate remediation within the report, including technical, administrative, operational, and physical controls. Physical controls use security measures to prevent or deter unauthorized access to sensitive locations or material. Physical controls include access control vestibule, biometric controls, and video surveillance.

Explanation: Place the options in the following order:

Explanation: False positives are “false alarms” or “benign triggers.” They are problematic because triggering unjustified alerts diminishes the value and urgency of real alerts.

Explanation: False positives are situations in which a security device triggers an alarm, but no malicious activity or actual attack occurs. They are problematic because triggering unjustified alerts diminishes the value and urgency of real alerts.

Explanation: False negatives are malicious activities not detected by a network security device. False positives are situations in which a security device triggers an alarm, but no malicious activity or actual attack occurs. True positives are successfully identifying a security attack or a malicious event. True negatives occur when an intrusion detection device identifies an activity as acceptable behavior, and the activity is acceptable.

Explanation: True negatives occur when an intrusion detection device identifies an activity as acceptable behavior, and the activity is acceptable. False negatives are malicious activities not detected by a network security device. False positives are situations in which a security device triggers an alarm, but no malicious activity or actual attack occurs. True positives are successfully identifying a security attack or a malicious event.

Explanation: True positives are successful identification of security attacks or malicious events. True negatives occurs when an intrusion detection device identifies an activity as acceptable behavior, and the activity is actually acceptable. False negatives are malicious activities that are not detected by a network security device. False positives are situations in which a security device triggers an alarm but there is no malicious activity or actual attack taking place.

Explanation: The use of input validation (user input sanitization) best practices is recommended to mitigate and prevent vulnerabilities such as cross-site scripting, cross-site request forgery, SQL injection, command injection, XML external entities, and other vulnerabilities.

Explanation: Role-based access control (RBAC) is a control that bases access permissions on a specific role or function. Administrators grant access rights and permissions to roles. Each user is then associated with a role. Users can belong to multiple groups. RBAC enables to control what users can do at both broad and granular levels.

Explanation: User training is an example of operational controls often allowing organizations to improve security operations. A user should have the training and provide written acknowledgment of rights and responsibilities before being granted access to information and information systems. The National Institute of Standards and Technology (NIST) published Special Publication 800-50, “Building an Information Technology Security Awareness and Training Program,” which succinctly defines why security education and training are important.

Explanation: Common Vulnerability Scoring System (CVSS), which was developed and is maintained by FIRST.org, provides a method for calculating a score for the seriousness of a threat. The scores are rated from 0 to 10, with 10 being the most severe.

Explanation: Technical controls make use of technology to reduce vulnerabilities. System hardening is an example of technical control that can be recommended as mitigation and remediation of the vulnerabilities found during a pen test. System hardening involves applying security best practices, patches, and other configurations to remediate or mitigate the vulnerabilities found in systems and applications.